Frequently Asked Questions: Protection Against Ransomware

How does ransomware work?

Ransomware is a type of malware that, upon infecting a device, blocks access to the device or to some or all of the information stored on it. To unlock the device or data, the user is required to pay a ransom, usually in cryptocurrency. The term ransomware covers mainly two types of malware: the so-called Windows blockers (which block the OS or browser with a pop-up window) and encryption-based ransomware. The term is also applied to Trojan-downloaders, namely those that tend to download encryption ransomware after infecting the machine. Nowadays, encryption ransomware is widely referred to simply as ransomware.

Is it malware?

Yes, ransomware is a type of malware, which mainly targets Windows-based systems (just like other types of malware). However, it is starting to attack Android-based devices as well. Quite often it is referred to as a ransomware virus or ransom virus, but it actually comes in the form of a Trojan, which penetrates the machine in various ways, tricking users with the help of social engineering.

Is ransomware really a threat?

Unfortunately, yes. In 2016 alone, 62 new ransomware families (groups of samples with similar behavior or origin) appeared, the number of modifications within each family grew by more than 10-fold, and users were attacked twice as often: once every 10 seconds.

What are the different ransomware types?

There are three main types of ransomware, of which the first is the most widespread:

File-encrypting ransomware

Examples of this extortionate ransomware became prominent in May 2005. By mid-2006, Trojans such as Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive began utilizing more sophisticated RSA encryption schemes with ever-increasing key sizes. Encryption-based ransomware returned once again in late 2013 with the propagation of CryptoLocker, which used the Bitcoin digital currency platform to collect the ransom money.

Blocking ransomware

This type doesn’t use encryption. The most famous ransomware of this type is Winlock. It trivially restricts access to the system by displaying pornographic images and asks users to send a premium-rate SMS (costing around US$10) to receive the code that unlocks the machine.

Leakware (also called Doxware)

This involves a blackmailing cryptovirology attack that threatens to publish the victim’s stolen information rather than denying access to the compromised computer. In a leakware attack, the malware extracts and sends sensitive information back to the attacker, or alternatively to a remote instance of the malware, and the attacker threatens to make the information public unless the victim pays the ransom.

How can I protect myself from Cryptolocker, Cryptowall, Locky, and other types of ransomware?

To protect your home or SOHO computers, install Acronis True Image 2017 New Generation and enable Acronis Active Protection™. Update the software when prompted so that you have the latest version, because with each software update we also update the heuristics used by Active Protection.

How do I remove ransomware after it is detected?

If your Acronis solution detects ransomware, you will be prompted to block it and then recover the damaged files. After you block the malicious process, it stays disabled and your data is safe; you don’t need to worry about it. However, we do recommend using a good anti-malware solution to scan for and remove the suspended malware from the machine.

Can I send you a ransomware sample?

Yes, if you are able to collect samples, please send them to aap@acronis.com. Each sample must be packed into a password-protected zip archive. Industry-standard practice is to use “infected” as the password. The more samples we get, the better our detection will be.

How does ransomware get on my computer?

There is a variety of ways. The most common is an infected email attachment, where the user is tricked into opening a file containing a malicious script. Another is a malicious link that redirects the user to an infected or outright malicious website, which in turn infects the computer through a drive-by download exploiting vulnerabilities in the operating system and third-party software. While the first infection vector is easier to control, by carefully checking all emails and attachments and not opening attachments from people you do not know, the second is much harder to guard against even for a savvy user. A good anti-malware solution coupled with Acronis True Image 2017 New Generation is required to guarantee full protection against ransomware. Even if the anti-malware solution misses the threat, it will be stopped by Acronis Active Protection, and your data will be safe.

Should I pay the ransom?

We do not recommend this. By paying the ransom you motivate cybercriminals to continue their work, because they see that it works. It is better to use Acronis True Image 2017 New Generation with Active Protection technology enabled. It detects ransomware using modern behavioral heuristics analysis and instantly restores your data while suspending the malicious process. Acronis True Image is also excellent backup software, so don’t forget to back up your data regularly to be completely on the safe side.

Yes, but cybercriminals are constantly updating and releasing new variants and families of their harmful software. It is recommended to stay up to date with the latest Acronis True Image updates.

Does it protect from all ransomware threats or only from the ones in a pre-defined list?

Acronis Active Protection does not use a malware "signature" approach to detect ransomware. Instead, it focuses on activity on data files that may indicate an attack. Therefore, the ransomware protection is much wider than a predefined list. While no protection is perfect, this approach covers many threats that other approaches would miss.
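As an added illustration of what a behavioral (non-signature) approach looks like in practice, the Python sketch below flags a process that rewrites many files with high-entropy content and changes their extensions. It is example code written for this page, not Acronis code and not a description of how Active Protection is implemented; the event stream, process ids, paths and thresholds are all constructed.

```python
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class FileEvent:
    pid: int
    op: str              # "write" or "rename"
    path: str
    data: bytes = b""    # new contents, for "write" events
    new_path: str = ""   # destination, for "rename" events

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text is roughly 4-5, encrypted or compressed data approaches 8."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def suspicious_pids(events, min_files=5, entropy_threshold=7.0):
    """PIDs that rewrote >= min_files distinct files with high-entropy content AND changed the
    extension of >= min_files files; requiring both keeps a single compressed archive unflagged."""
    high_entropy, ext_changes = defaultdict(set), defaultdict(int)
    for ev in events:
        if ev.op == "write" and shannon_entropy(ev.data) >= entropy_threshold:
            high_entropy[ev.pid].add(ev.path)
        elif ev.op == "rename" and ev.path.rsplit(".", 1)[-1] != ev.new_path.rsplit(".", 1)[-1]:
            ext_changes[ev.pid] += 1
    return {pid for pid in set(high_entropy) | set(ext_changes)
            if len(high_entropy[pid]) >= min_files and ext_changes[pid] >= min_files}

def pseudo_random(seed: str, length: int = 512) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file contents (constructed)."""
    chunks = (hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(length // 32 + 1))
    return b"".join(chunks)[:length]

# Constructed event stream: an editor saving text (pid 100), an archiver writing one
# compressed file (pid 300), and a process encrypting and renaming six documents (pid 200).
SAMPLE_EVENTS = [
    FileEvent(100, "write", "C:/Users/u/Docs/notes.txt", b"meeting notes, quarterly figures " * 16),
    FileEvent(300, "write", "C:/Users/u/Docs/photos.zip", pseudo_random("zip")),
]
for i in range(6):
    doc = f"C:/Users/u/Docs/report{i}.docx"
    SAMPLE_EVENTS.append(FileEvent(200, "write", doc, pseudo_random(doc)))
    SAMPLE_EVENTS.append(FileEvent(200, "rename", doc, new_path=doc + ".locked"))
FLAGGED = suspicious_pids(SAMPLE_EVENTS)  # {200}
```

Note that the archiver (pid 300) also produces high-entropy output but is not flagged because it neither touches many files nor changes extensions; real products tune such thresholds and add further signals to keep false positives down.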

Can Active Protection work stand-alone, without backup?

Yes, it runs in the background as long as Acronis True Image 2017 New Generation is installed and the feature is turned on. The Acronis True Image user interface doesn’t need to be open for this protection against ransomware to work in the background.

How do I get my files back?

When Acronis Active Protection is enabled in Acronis True Image 2017 New Generation, it restores damaged files automatically. The product detects the ransomware, offers to block it, and offers to restore any damaged files. You just need to click the restore button and all your files are automatically returned to their original locations.

What is the ultimate protection against ransomware?

All anti-malware vendors recommend using backup solutions, for example Acronis True Image for consumers or Acronis Backup 12 for small business and corporate users. This is indeed true; however, cybercriminals have started attacking backup solutions in order to make people pay. This is why you must be careful when selecting your backup software. Acronis True Image 2017 New Generation has the Acronis Active Protection technology, which not only detects ransomware thanks to modern behavioral heuristics analysis, but also provides robust self-protection functionality in case attackers try to interfere with the Acronis True Image Windows process. This guarantees that your backed-up data is always secure. Other backup solutions, unfortunately, do not really provide any self-defense. You can see this in an independent evaluation of our technology by the Anti-Malware test lab: http://www.anti-malware-test.com/backup_restore_systems_self_protection_test_2017